skills/promptadvisers/claude-code-polished-documents-skills/web-artifacts-builder/Gen Agent Trust Hub
web-artifacts-builder
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The skill utilizes shell scripts (
init-artifact.shandbundle-artifact.sh) to automate project setup. These scripts use standard tools likepnpm,npm,sed, andtarto manage files and dependencies. This behavior is consistent with the skill's primary purpose. - [EXTERNAL_DOWNLOADS] (SAFE): The scripts download standard frontend packages from the official npm registry. No unauthorized or suspicious remote sources were identified.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill has an attack surface for indirect prompt injection as it processes user-provided project names and code. 1. Ingestion points:
scripts/init-artifact.shaccepts a project name as a command-line argument. 2. Boundary markers: Absent. 3. Capability inventory: File system write operations, command execution viapnpm, and network access for package downloads. 4. Sanitization: Absent; input is used directly in shell commands.
Audit Metadata